
Here's a support case which took some tracking down to resolve. A customer called saying that they were getting a warning about their browser being out of date, and a lot of 'page can't be displayed' errors. So we got their 2 machines in the office, updated the web browsers, cleaned off some junk software and things that could be causing issues, tested, and the systems were fine. The customer then returned home.
We then got a follow-up call to say they were still getting the warning – but it was about Flash Player being out of date. That was the first point at which I started to think something else was going on, as it had left us working fine!
I decided to go onsite and see it myself. At the customer's place it was as they said – when I tried to go to any search page (e.g. www.google.com) it would try to download a setup.exe file FROM the page it was going to, e.g. http://www.google.com/setup.exe (or bing.com – same thing). And the AV on the machine would block the page as being malicious. I have seen many browser hijacks but never one that is able to keep the domain name at the start (they always redirect to dodgybros.com and then try to get you to download the virus). So did their system have a rootkit we had missed? Or was something hacked at their ISP? I needed another look.
Back at the office – the system worked perfectly. We even had a look at the setup.exe file that was in the AV quarantine and it was a password stealer/keylogger. But it had been blocked, so the system wasn't infected. The only answer that made sense – it was an issue at the customer's location somehow. And during this time we had another customer contact us with the same issue – so we needed to find out what was going on and how to resolve it.
I took my notebook back to the customer's place as well, to have a clean machine to test with. Plugged their systems in and now they were just getting 'page can't be displayed' for most requests. I had a suspicion that something was going on with DNS, as I could not see how else the www.google.com/setup.exe hijack was happening. So I decided to have a look at the IP config of the PC. Here is what it showed:

(screenshot of the PC's ipconfig output)
On that screen I noticed something very wrong. Any normal home modem will hand out the DNS server address as itself, so 192.168.1.1. What were these other 2 DNS servers – 23.253.94.129 and 128.199.225.64 – doing in place of what should have been there? Now the trail to the issue was becoming clear. On my notebook I set the DNS to use Google (8.8.8.8/8.8.4.4) and things worked perfectly. So I did a quick search and found that those DNS addresses were known compromised or hacker DNS servers. FOUND IT!

As a quick explanation – a DNS server changes the address you type in your web browser (e.g. www.google.com) into an IP address that allows the request to travel across the internet to the correct machine (e.g. the Google web server), since the internet is linked via IP addresses, NOT names. Normally you would use your ISP's DNS server (which your modem does for you automatically in the background). BUT if you are using compromised DNS servers, they can send you anywhere. And in this case they were sending customer requests for search engines to infected websites. The reason why we were now getting 'page can't be displayed' messages was that those servers had been shut down (probably by the host who manages them, once they found out).

So now it's time to fix the issue. I attempted to log in to the modem so I could fix the config that I assumed had been changed by the hackers – and the usual password did not work. Again a warning light that I had found the issue. The customer had not changed the password, so the hacker had! I was left no choice but to do a factory reset and reconfigure the modem. Now the network was all fine again. But how did they get into the modem? The PCs didn't seem infected – so my guess was that it was the web interface of the modem. Then I found (to my major concern) that this model had external access to the web interface turned ON by default – and to turn it OFF you had to create an ACL (access control list) to block external access to it!
No normal home user would have a hope of setting that up, and I consider that a major security issue. All modems I can remember always have web (external) access to the modem OFF by default, and you need to turn it on if you want to access the modem across the internet. That's the safe way for it to be. So I locked down the modem and now they are secure again.

So what was done? Hackers had used (I would guess) some IP subnet sweeping software looking for port 80 open on any links. Then they would try generic name/password combos on the modems, and if they got into any of them – they would then change the DNS config so all machines in the network talked to the infected DNS servers. A situation which should never have happened if manufacturers maintained a simple standard of WEB access on ADSL modems being OFF by default.
The other customer we were contacted by had the same issue – so now we knew how to address it, by resetting the modem to factory settings and setting them up again (and locking the web/external access down). An interesting lesson in tracing the fault and how hackers work.
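The check I did by eye on the ipconfig screen can be scripted, which is handy when you have a few customer machines to look at. The following is an added example and not part of the original post: it parses the text of `ipconfig /all`, pulls out each adapter's default gateway and DNS servers, and flags any resolver that is neither the modem (the gateway), a private/link-local address, nor one of a small set of public resolvers. The two `ipconfig` samples are constructed for the example (the hijacked one uses the gateway and the two rogue addresses from the case above), and the `TRUSTED_RESOLVERS` set is an assumption you would adjust to whatever your ISP hands out.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output, modelled on the case above:
# the gateway is the home modem, but the DNS servers are the two outside
# addresses from the post rather than the modem itself.
SAMPLE_HIJACKED = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 23.253.94.129
                                       128.199.225.64
"""

# Constructed sample of a healthy configuration: the modem hands itself out as DNS.
SAMPLE_HEALTHY = """
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Public resolvers accepted besides the modem itself (assumption: add your
# ISP's resolvers here if they are configured directly on the PC).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# "   Key . . . . : value" lines; the key stops at the first dot leader.
KEY_LINE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")


def _is_ip(value):
    """True if value is an IPv4/IPv6 address (a zone index such as %12 is tolerated)."""
    try:
        ipaddress.ip_address(value.split("%")[0])
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Return {adapter name: {"gateway": [...], "dns": [...]}} from `ipconfig /all` text."""
    adapters = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        # Adapter headers start in column 0 and end with a colon.
        if not raw.startswith(" ") and stripped.endswith(":"):
            current = stripped[:-1]
            adapters[current] = {"gateway": [], "dns": []}
            last_key = None
            continue
        if current is None:
            continue
        if _is_ip(stripped):
            # Continuation line: a second (or third) value for the previous key.
            key, value = last_key, stripped
        else:
            m = KEY_LINE.match(raw)
            if not m:
                continue
            key, value = m.group(1).strip(), m.group(2).strip()
            last_key = key
        if not value or key is None:
            continue
        if key == "Default Gateway":
            adapters[current]["gateway"].append(value)
        elif key == "DNS Servers":
            adapters[current]["dns"].append(value)
    return adapters


def find_unexpected_dns(adapters, trusted=TRUSTED_RESOLVERS):
    """Return {adapter: [dns, ...]} for resolvers that are not the gateway,
    not on a private/link-local range, and not in the trusted set."""
    unexpected = {}
    for name, cfg in adapters.items():
        gateways = set(cfg["gateway"])
        flagged = []
        for dns in cfg["dns"]:
            if not _is_ip(dns):
                continue
            addr = ipaddress.ip_address(dns.split("%")[0])
            if dns in gateways or dns in trusted or addr.is_private or addr.is_link_local:
                continue
            flagged.append(dns)
        if flagged:
            unexpected[name] = flagged
    return unexpected


if __name__ == "__main__":
    for name, servers in find_unexpected_dns(parse_ipconfig(SAMPLE_HIJACKED)).items():
        print(f"{name}: DNS not handed out by the modem or a trusted resolver: {', '.join(servers)}")
```

On a real machine you would feed it the output of `ipconfig /all` instead of the sample text. A flagged address is not proof of a hijack on its own (some ISPs or users set public resolvers on purpose), but a home PC whose DNS is not the modem and not something you recognise is exactly the situation in this case, and the next thing to check is the modem's own DNS settings and whether its admin password still works.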